RE: Linux hardware firewall question
From: Greg Horne (greg@flashaccess.com) Date: 02/28/02
- Previous message: s17: "Re: Exploitable mirc, or a trojan ?"
- Maybe in reply to: Jeff Smith: "RE: Linux hardware firewall question"
- Next in thread: Leon Ward: "RE: Linux hardware firewall question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Greg Horne" <greg@flashaccess.com> To: "'Lee Leahu'" <lee@ricis.com>, <security-basics@securityfocus.com> Date: Thu, 28 Feb 2002 14:47:45 -0800
When I was writing my script I decided to look at lots of examples. I
would highly recommend http://monmotha.mplug.org/firewall/index.php.
It's very complete, and is always getting better. It protects against
floods, bad packets, and has configuration options for just about
everything IPTables offers. The only thing that you may have to do (I
see that you used ip_forward already) is load certain features
automatically so you don't have to re-run the script after each boot.
In my /etc/rc.d/rc.local I added:
/etc/sysconfig/firewall_scripts/./rc.firewall
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/eth1/accept_source_route
/sbin/depmod -a
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
Once you are happy with the script, remember to:
/etc/rc.d/init.d/iptables save
- - -
Greg Horne
> -----Original Message-----
> From: Lee Leahu [mailto:lee@ricis.com]
> Sent: Wednesday, February 27, 2002 9:41 AM
> To: security-basics@securityfocus.com
> Subject: RE: Linux hardware firewall question
>
> Hi.
>
> I have at home a small network of 4 computers hooked up to an 8 port
> netgear 10/100 switch, which then feeds into my Linux router / firewall,
> which feeds into my 3com cable modem, which feeds into at&t's cable
> modem network.
>
> My linux firewall/router is basically a Pentium 233 MMX with 64 Megs of
> ram and 8Gb hard drive.
>
> I wrote a script called 'firewall' and chmod +x 'd it.
>
> <snip>
> # allow packet forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # flush tables
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -t nat -F PREROUTING
> iptables -t nat -F POSTROUTING
> iptables -t nat -F OUTPUT
>
> # allow packets from my work
> iptables -A INPUT -i eth0 -s 64.244.234.0/23 -j ACCEPT
>
> # log and drop everything else connecting TO my firewall
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j LOG --log-prefix " input-drop "
> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
>
> # allow certain packets through to internal computers
> iptables -A FORWARD -i eth0 -p tcp --dport 4000 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --sport 5190 -j ACCEPT
> iptables -A FORWARD -i eth0 -p tcp --dport 1214 -j ACCEPT
>
> # log and drop everything else
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j LOG --log-prefix " forward-drop "
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> # setup masquerading for outgoing traffic
> iptables -t nat -A POSTROUTING -j MASQUERADE
> </snip>
>
> This setup has basically worked fine so far. If anyone has any
> suggestions on my setup, I am open to suggestions.
>
> At 02:53 2002-02-26, you wrote:
> >I operate a small network of about 5 computers and am considering
> >setting up a pc to operate as a firewall/router for the network. The
> >network does not receive much traffic at all and I am trying to figure
> >out hardware wise what I need. The topology I have decided to go with
> >is that each box on the network will have its own nic on the pc.
> >Additionally, if anyone can suggest documentation on how to set this
> >up software wise I would appreciate it.
> >
> >I have some experience with iptables, but am unsure exactly how I
> >would set this up? Again any help would be appreciated.
> >
> >Thank you.
> >
> >J. Ferguson
>
> Lee
> lee@ricis.com
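As an added example (not code from either poster), here is the same kind of two-NIC NAT gateway setup as the posted `firewall` script and `rc.local`, written so the whole command list can be printed and reviewed before anything is applied. It assumes eth0 faces the cable modem and eth1 the LAN; the LAN range 192.168.1.0/24, the forwarded host 192.168.1.10, the `DRY_RUN` switch and the function names are my own constructed placeholders, while the 64.244.234.0/23 "work" range and the forwarded ports 4000 and 1214 are taken from the posted script. It goes a little beyond the thread's scripts: default-deny INPUT and FORWARD policies with an explicit ESTABLISHED,RELATED rule instead of relying on an ACCEPT policy, DNAT for the forwarded ports, and the kernel knobs set to the defensive values (rp_filter on, source routing off, SYN cookies on).

```shell
#!/bin/sh
# Added example (not from the thread): a two-NIC NAT gateway ruleset in the
# style of the posted scripts, generated as a reviewable command list.
# Assumptions: eth0 faces the cable modem, eth1 faces the LAN; the LAN range,
# the forwarded host and the DRY_RUN switch are constructed placeholders.
# DRY_RUN=1 (the default) prints every command instead of executing it.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}          # constructed LAN range
FWD_HOST=${FWD_HOST:-192.168.1.10}          # constructed internal server
FWD_TCP_PORTS=${FWD_TCP_PORTS:-"4000 1214"} # ports from the posted script
ADMIN_NET=${ADMIN_NET:-64.244.234.0/23}     # "my work" range from the posted script
DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sysctl_write KNOB VALUE: the same /proc writes an rc.local would do
sysctl_write() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo %s > /proc/sys/net/ipv4/%s\n' "$2" "$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

# kernel_settings: forwarding on, SYN cookies on, anti-spoofing on both
# interfaces, source-routed packets ignored, FTP helpers loaded so RELATED
# data connections are tracked (as in the posted rc.local)
kernel_settings() {
    sysctl_write ip_forward 1
    sysctl_write tcp_syncookies 1
    for i in "$WAN" "$LAN"; do
        sysctl_write "conf/$i/rp_filter" 1
        sysctl_write "conf/$i/accept_source_route" 0
    done
    run /sbin/modprobe ip_conntrack_ftp
    run /sbin/modprobe ip_nat_ftp
}

# firewall_rules: default-deny INPUT/FORWARD, stateful return traffic,
# explicit holes, log-then-drop for the rest, masquerade on the WAN side only
firewall_rules() {
    for c in INPUT FORWARD OUTPUT; do run iptables -F "$c"; done
    for c in PREROUTING POSTROUTING OUTPUT; do run iptables -t nat -F "$c"; done
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # replies to connections the gateway or the LAN opened
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A INPUT -i "$WAN" -s "$ADMIN_NET" -m state --state NEW -j ACCEPT

    # LAN may open outbound connections; selected inbound TCP ports are
    # DNATed to one internal host and allowed through FORWARD
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    for p in $FWD_TCP_PORTS; do
        run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$p" -j DNAT --to-destination "$FWD_HOST"
        run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$FWD_HOST" --dport "$p" -m state --state NEW -j ACCEPT
    done

    # log anything new or invalid from the cable side; the DROP policy does the rest
    run iptables -A INPUT -i "$WAN" -m state --state NEW,INVALID -j LOG --log-prefix input-drop:
    run iptables -A FORWARD -i "$WAN" -m state --state NEW,INVALID -j LOG --log-prefix forward-drop:

    # masquerade only LAN traffic that actually leaves on the WAN interface
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# rule_count: number of iptables commands the ruleset produces (dry run only)
rule_count() {
    firewall_rules | grep -c '^iptables '
}

kernel_settings
firewall_rules
```

Run it once as-is to read the generated list, then as root with `DRY_RUN=0` once it matches what you intend; the ruleset still has to be saved afterwards the way the reply above describes, and the script itself (or its dry-run output) is what belongs in version control.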